[CONFSERVER-43162] XSS in newFileName Field

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.10.6
Affects Version/s: 5.9.12
Component/s: Content - Attachments
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

From an external report:

Confluence recently has been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the following URL:
https://confluence/pages/editattachment.action
As a means to prove the concept proposed by this issue, we added the value "<script>alert(1)</script>file" (without quotes) in the newFileName field. Such as described in the image named xss.png (attached).
After the aforementioned insertion, the script executes successfully whenever a user visits the vulnerable page, which in turn, is available at:
https://confluence/dosearchsite.action?queryString="
As can be seen in the images named xss1.png and xss2.png (attached).

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

xss.png
18/Jul/2016 4:50 PM
33 kB
Ashley Blackmore
xss1.png
18/Jul/2016 4:50 PM
66 kB
Ashley Blackmore
xss2.png
18/Jul/2016 4:50 PM
91 kB
Ashley Blackmore
confluence-search-2.3.13-SNAPSHOT.jar
19/Jul/2016 6:22 AM
157 kB
Feng Xu

relates to

CONFSERVER-43341 Inconsistent escaping returned by Confluence Search

Closed

links to

http://seclists.org/fulldisclosure/2017/Jan/3

Katherine Yabut made changes - 13/Nov/2018 4:40 AM

Workflow

Original: JAC Bug Workflow v3 [ 2884476 ]

New: CONFSERVER Bug Workflow v4 [ 2979395 ]

Owen made changes - 11/Oct/2018 8:48 AM

Workflow	Original: JAC Bug Workflow v2 [ 2788190 ]	New: JAC Bug Workflow v3 [ 2884476 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:15 PM

Workflow

Original: JAC Bug Workflow [ 2722818 ]

New: JAC Bug Workflow v2 [ 2788190 ]

Owen made changes - 17/Aug/2018 3:17 AM

Symptom Severity

Original: Major [ 14431 ]

New: Severity 2 - Major [ 15831 ]

Owen made changes - 02/Jul/2018 6:59 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2385974 ]

New: JAC Bug Workflow [ 2722818 ]

Katherine Yabut made changes - 22/Jun/2017 6:49 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2282501 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2385974 ]

Katherine Yabut made changes - 31/May/2017 5:35 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2223320 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2282501 ]

Katherine Yabut made changes - 31/May/2017 4:57 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2175750 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2223320 ]

Katherine Yabut made changes - 31/May/2017 2:00 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1941871 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2175750 ]

Katherine Yabut made changes - 03/Apr/2017 4:02 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v3 [ 1739421 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 1941871 ]

Assignee:: Feng Xu (Inactive)

Reporter:: Jodson Santos

Affected customers:: 0 This affects my team

Watchers:: 5 Start watching this issue

Created:: 07/Jul/2016 9:52 PM

Updated:: 11/Oct/2018 8:48 AM

Resolved:: 28/Aug/2016 11:06 PM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

People

Dates